FACTORING NUMBERS IN O(log n) ARITHMETIC STEPS


Adi Shamir

Department of Mathematics
Massachusetts Institute of Technology
Cambridge, Massachusetts 02139

Abstract 

In this paper we show that a non-trivial factor of a composite number n can be found by performing arithmetic steps in a number proportional to the number of bits in n, and thus there are extremely short straight-line factoring programs. However, this theoretical result does not imply that natural numbers can be factored in polynomial time in the Turing-Machine model of complexity, since the numbers operated on can be as big as $2^{n^2}$, thus requiring exponentially many bit operations.

This  report  was  prepared  with  the  support  of  the  Office  of  Naval  Research  Grant 
No.  N000-14-76-C-0366  and  National  Science  Foundation  Grant  No.  77-1975AMCS. 
I. Introduction.

The problems of primality checking and factoring of natural numbers have been given much attention in the last four centuries. The development of efficient algorithms for these problems is not only theoretically interesting, but can also have important practical consequences (for example, in the field of cryptography; see Rivest, Shamir and Adleman [1]). While it is relatively easy to determine that a given number n is composite, actually finding its factors seems to be a much harder problem. To date, all the algorithms developed for this purpose run in time which is non-polynomial in the length of the binary representation of n (e.g., Pollard [2]).

In this paper, we consider the inherent difficulty of the factoring problem from the point of view of another natural measure of complexity, namely the number of arithmetic steps (addition, subtraction, multiplication and integer division) needed in order to solve the problem. We develop an algorithm which finds a non-trivial factor of a composite number n in O(log n) arithmetic steps, and we conjecture that it is optimal. This result does not imply that natural numbers can be factored in polynomial time, since our measure of complexity ignores the size of the numbers involved. The algorithm presented in this paper is thus mainly of theoretical interest, showing that surprisingly short straight-line computer programs can factor natural numbers.



II. The Model.

We consider a very simple model of a computer, consisting of registers and a CPU. There is a fixed number of registers ($R_1$ through $R_k$), each one of which can hold a single integer of unbounded size. The CPU contains a program, which is a finite sequence of labelled instructions of the following types:

(i) $L:\ R_m \leftarrow R_i * R_j$, where $L$ is a label and $*$ is $+$, $-$, $\cdot$ or $\div$ ($a \div b$ is the largest integer not exceeding the rational quotient $a/b$).

(ii) $L:$ if $R_m > 0$ then go to $L_1$, else go to $L_2$.

(iii) $L:$ Print($R_m$).

(iv) $L:$ Halt.

The arithmetic complexity of a program is the function $a(n)$ giving for each input n the number of arithmetic instructions of type (i) performed until the computer halts; if the computer loops forever, $a(n) = \infty$.

A factoring algorithm is a program which finds and prints out for any composite natural number n (initially placed in $R_1$) a non-trivial factor $1 < f < n$ that divides n; if n is a prime, the program halts without printing anything. Such a program can serve as the nucleus of more complicated types of factoring algorithms. For example, in order to find the complete prime factorization of a given number n, it suffices to find such a factor f (which is not necessarily a prime!) and then to recursively find the complete prime factorizations of f and of $n \div f$.


III. A Fast Method for Computing Factorials.

Our factorization algorithm is based on a method for computing the factorial function n! which has a low arithmetic complexity. In [3], Pratt uses a clever partition of the n factors in n! in order to reduce the obvious O(n) algorithm to an almost $O(\sqrt{n})$ algorithm, but this complexity is still too high. An O(log n) algorithm is implicit in Davis' paper [4] on the unsolvability of Hilbert's 10th problem, but a somewhat differently structured method is needed in order to obtain the final O(log n) factoring algorithm. The method we describe has the additional advantage of using smaller intermediate numbers, thus reducing the space requirements from $n^2 \log n$ bits to $n^2$ bits (note that $n \log n$ bits are necessary just in order to hold the final value n! in binary representation).

Let n be an even natural number. Then by definition

$$\binom{n}{n/2} = \frac{n!}{\big((n/2)!\big)^2},$$

from which we get the recursive relation

$$(1)\qquad n! = \binom{n}{n/2}\,\big((n/2)!\big)^2 .$$

If n is an odd natural number, we use the identity

$$(2)\qquad n! = n \cdot (n-1)!$$

in which n-1 is even and (1) is applicable. Thus for any n, the calculation of n! can be quickly reduced to that of calculating $(n \div 2)!$. What remains to be done is to find an efficient method for calculating the log n terms of the form $\binom{2k}{k}$ (with $k = n \div 2^i$ for $1 \le i \le \log n$) obtained when the recursive definition is unfolded.

Consider now the binomial identity:

$$(3)\qquad (2^{\ell} + 1)^{2k} = \sum_{j=0}^{2k} \binom{2k}{j}\, 2^{\ell j} .$$

If this number is written in binary representation, then each summand is just the binary representation of $\binom{2k}{j}$ shifted left $\ell \cdot j$ bits. By making $\ell$ big enough, each $\binom{2k}{j}$ can be shifted to a distinct block of $\ell$ bits in the binary representation of $(2^{\ell}+1)^{2k}$, and thus can be easily isolated.*

The minimum usable value of the block size is just the number of bits occupied by the largest term of the form $\binom{2k}{j}$. Since

$$\sum_{j=0}^{2k} \binom{2k}{j} = 2^{2k},$$

any block size of $\ell \ge 2k$ bits can be used. In particular, the value of $\binom{2k}{k}$ can be found by isolating the middle block of 2k bits in

$$(4)\qquad (2^{2k} + 1)^{2k} .$$
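A worked instance of (4), added here and not part of the paper, with $k = 2$ and the block size $\ell = 2k = 4$:

$$(2^4+1)^4 = 17^4 = 83521 = 1 + 4\cdot 2^{4} + 6\cdot 2^{8} + 4\cdot 2^{12} + 1\cdot 2^{16},$$

so in hexadecimal, one hex digit per 4-bit block, $83521 = \mathtt{0x14641}$ and the coefficients $\binom{4}{j}$ can be read off block by block. Isolating bits 9 through 12 (block number 2) by the footnote's method gives

$$\frac{(83521 \bmod 2^{12}) - (83521 \bmod 2^{8})}{2^{8}} = \frac{1601 - 65}{256} = 6 = \binom{4}{2}.$$

The bound $\ell \ge 2k$ is only sufficient: $\ell = 3$ still works here because every $\binom{4}{j} \le 6$ fits in 3 bits, but with $\ell = 2$ the coefficient 6 overflows its block, $(2^2+1)^4 = 625$, and the same isolation yields $(625 \bmod 2^{6} - 625 \bmod 2^{4})/2^{4} = (49-1)/16 = 3$ instead of 6.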


In order to find the arithmetic complexity of this process, we note that the 2k-th power of a number can be calculated in O(log k) arithmetic steps by the well known method of successive squarings.** Using this method twice in succession, (4) can also be calculated in O(log k) arithmetic steps. The calculation of the powers of 2 used in isolating the middle block in (4) requires a similar number of steps, and thus any term of the form $\binom{2k}{k}$ can be calculated in O(log k) steps.

In order to calculate n! in our method, we have to find the values of $\binom{2k}{k}$ for all k of the form $k = n \div 2^i$, $1 \le i \le \log n$. The discussion above shows how to do it in $O(\log^2 n)$ arithmetic steps, but a simple trick can reduce it to O(log n).

* To isolate the lower m bits in a register R, calculate $R' \leftarrow R - (R \div 2^m) \cdot 2^m$; to isolate bits $m_1 + 1$ through $m_2$ in R, subtract the lower $m_1$ bits in R from the lower $m_2$ bits in R, and divide the result by $2^{m_1}$.

Since all the values of k satisfy $2k \le n$, we can replace the variable block size $\ell = 2k$ by the uniform block size $\ell = n$, and thus $\binom{2k}{k}$ can also be isolated as the middle block of n bits in

$$(5)\qquad (2^n + 1)^{2k} .$$

However, since each k is $n \div 2^i$ for some i, all the log n numbers of the form (5) can be obtained free as the intermediate stages in the calculation of the single number

$$(6)\qquad (2^n + 1)^n$$

by the successive squarings method! A similar trick can be used in the computation of the powers of 2 used in order to isolate the middle blocks, and thus the arithmetic complexity of our algorithm for computing n! is just O(log n).

A final remark about space requirements. Due to the special form of the main recursive definition (equations (1) and (2)), it is easy to translate it into a simple iterative loop in which the register which eventually contains n! is either squared or multiplied by an auxiliary register. This eliminates the need for a recursion stack. Furthermore, no temporary storage is needed for the log n numbers $\binom{2k}{k}$, since they are used in the same natural order in which they are produced when (6) is evaluated. The entire algorithm can thus be implemented with a (small) fixed number of registers, without using any data-compacting techniques. The biggest number stored in these registers is $(2^n + 1)^n$ itself, which needs $O(n^2)$ bits in its binary representation.

** Using the recursive relation

$$a^x = \begin{cases} \big(a^{x/2}\big)^2 & \text{if } x \text{ is even,} \\ a \cdot a^{x-1} & \text{if } x \text{ is odd.} \end{cases}$$
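The factorial algorithm of this section, written out as a Python program. This is an added example, not code from the paper: it runs the iterative loop just described over the halving chain $n, n \div 2, \ldots, 1$, squares $(2^n+1)$ along the way so that every $(2^n+1)^{2k}$ of (5) appears as a stage of (6), pulls each $\binom{2k}{k}$ out of the middle block with the footnote's isolation method, and routes every arithmetic operation through a small `Machine` class (assumed here, not in the paper) that counts the type (i) instructions of the model in Section II. The names `shamir_factorial`, `halving_chain`, `power` and `naive_factorial` are the example's own.

```python
"""Shamir's O(log n) factorial (Section III).  Added example, not the paper's
own code.  Every +, -, * and integer division on the big integers goes
through Machine, which counts them as the arithmetic steps of the model in
Section II (branches are free, as in the model; the parity test of x is
charged as x - (x ÷ 2)·2, i.e. three steps).
"""


class Machine:
    """The four arithmetic instructions of the model, with a step counter."""

    def __init__(self):
        self.steps = 0

    def add(self, a, b):
        self.steps += 1
        return a + b

    def sub(self, a, b):
        self.steps += 1
        return a - b

    def mul(self, a, b):
        self.steps += 1
        return a * b

    def div(self, a, b):                    # a ÷ b = floor(a / b)
        self.steps += 1
        return a // b


def is_odd(m, x):
    """x - (x ÷ 2)·2 == 1, costing three arithmetic steps."""
    return m.sub(x, m.mul(m.div(x, 2), 2)) == 1


def halving_chain(m, n):
    """[n, n ÷ 2, n ÷ 4, ..., 1]: the values reached by unfolding (1) and (2)."""
    chain = [n]
    while chain[-1] > 1:
        chain.append(m.div(chain[-1], 2))
    return chain


def power(m, base, exp):
    """base^exp (exp >= 1) by the footnote's successive squarings, unrolled
    bottom-up along the halving chain: O(log exp) steps."""
    chain = halving_chain(m, exp)
    result = base                           # base^1
    for x in reversed(chain[:-1]):          # x = 2*prev or 2*prev + 1
        result = m.mul(result, result)
        if is_odd(m, x):
            result = m.mul(result, base)
    return result


def shamir_factorial(n, m=None):
    """Return (n!, machine).  One pass over the halving chain with a constant
    number of steps per level, hence O(log n) arithmetic steps in total."""
    m = m or Machine()
    if n < 2:
        return 1, m
    two_n = power(m, 2, n)                  # block width n bits
    A = m.add(two_n, 1)                     # 2^n + 1
    chain = halving_chain(m, n)
    fact = 1                                # 1!
    P = A                                   # (2^n+1)^k, currently k = 1
    B = two_n                               # 2^(n k): shift of block number k
    for x in reversed(chain[:-1]):          # k = x ÷ 2 is the previous level
        P = m.mul(P, P)                     # (2^n+1)^(2k): a stage of (6), for free
        B2 = m.mul(B, two_n)                # 2^(n (k+1))
        lo = m.sub(P, m.mul(m.div(P, B), B))      # lower n·k bits of P
        hi = m.sub(P, m.mul(m.div(P, B2), B2))    # lower n·(k+1) bits of P
        C = m.div(m.sub(hi, lo), B)         # binom(2k, k): the middle block
        fact = m.mul(C, m.mul(fact, fact))  # (2k)! = binom(2k,k)·(k!)^2, eq. (1)
        B = m.mul(B, B)                     # 2^(n·2k)
        if is_odd(m, x):                    # eq. (2): x! = x·(x-1)!
            fact = m.mul(x, fact)
            P = m.mul(P, A)                 # (2^n+1)^x
            B = m.mul(B, two_n)             # 2^(n x)
    return fact, m


def naive_factorial(n):
    """Reference product, for checking only."""
    f = 1
    for i in range(2, n + 1):
        f *= i
    return f


if __name__ == "__main__":
    for n in (10, 100, 1000):
        value, m = shamir_factorial(n)
        print(n, "->", m.steps, "arithmetic steps,", value.bit_length(), "bits")
```

The step count grows by a fixed amount (at most 26 steps in this implementation) per halving of n, while the largest register, $(2^n+1)^n$, grows to about $n^2$ bits: for n = 1000 the program performs a few hundred arithmetic steps on numbers of a million bits.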


IV. Factoring Natural Numbers.


Once we have an O(log n) algorithm for computing factorials, an $O(\log^2 n)$ factoring algorithm is trivial to construct. If $i < n$ are two natural numbers, then the greatest common divisor (gcd) of n and i! is greater than 1 iff n has a factor j satisfying $1 < j \le i$. Consequently, in order to find the smallest prime factor of n, we can perform a binary search on the values of i, using the predicate $\gcd(n, i!) = 1$ as the criterion for increasing i.

For any given value of i, i! can be computed in O(log n) arithmetic steps. Even though i! can be an enormous number, the calculation of $\gcd(n, i!)$ requires only $O(\min(\log n, \log i!)) = O(\log n)$ arithmetic steps (a thorough discussion of gcd algorithms appears in Knuth [5]). The number of gcd calculations in the binary search is again bounded by log n, and thus the smallest (prime) factor of n can be found in $O(\log^2 n)$ arithmetic steps.

In order to construct an improved O(log n) factoring algorithm, we have to replace the relatively expensive $\gcd(n, i!)$ operation by the much cheaper operation of reduction modulo n ($i! \bmod n$ can be calculated by just three arithmetic operations as $i! - (i! \div n) \cdot n$).

Let $i_0$ be the least natural number in the range $1 \le i \le n$ which satisfies the predicate $i! \equiv 0 \pmod n$ (since n divides n!, there is at least one such i), and let f be $\gcd(n, i_0)$. By a variant of Wilson's theorem (see [6]), a natural number $n > 4$ is composite iff $(n-1)! \equiv 0 \pmod n$, and thus $f \le i_0 < n$ whenever $n > 4$ is composite. On the other hand, f cannot be 1, since by assumption n does not divide $(i_0 - 1)!$ but does divide $i_0! = i_0 \cdot (i_0 - 1)!$ (if $\gcd(n, i_0)$ were 1, then $n \mid i_0 \cdot (i_0-1)!$ would force $n \mid (i_0-1)!$). Consequently, $1 < f < n$ is a non-trivial factor of n whenever $n > 4$ is composite, and $f = n$ whenever $n > 4$ is a prime. Note that f is not necessarily the smallest factor (or even a prime factor) of n, as demonstrated in the case $n = 18$, $i_0 = 6$, $f = 6$.

The factorization problem has thus been reduced to the problem of finding $i_0$, since f can be calculated from n and $i_0$ in at most O(log n) additional steps. The predicate $i! \equiv 0 \pmod n$ has the useful property that $i_1! \equiv 0 \pmod n$ and $i_1 < i_2$ imply that $i_2! \equiv 0 \pmod n$, which makes a fast binary search possible. However, so far the algorithm's arithmetic complexity is still $O(\log^2 n)$, since log n factorials (each one of which requires O(log n) steps) must be evaluated. We shall now make use of our factorial algorithm's special structure in order to combine many of the subcomputations involved. Throughout the discussion, n is assumed to be greater than 4.

Rather than find $i_0$ directly, we first find the interval between two successive powers of 2 in which it is contained. If $2^{j_1}$ is the smallest power of 2 which exceeds n, then calculating $(2^{j_1})!$ (in O(log n) arithmetic steps) in our method gives us the factorials of all the smaller powers of 2 for free. By reducing each one of these factorials mod n (using 3 arithmetic steps), we can find in just O(log n) arithmetic steps the (uniquely defined) power $2^{j_0}$ such that $(2^{j_0})! \not\equiv 0 \pmod n$ and $(2^{j_0+1})! \equiv 0 \pmod n$. By the definition of $i_0$, $2^{j_0} < i_0 \le 2^{j_0+1}$.

If we try to locate $i_0$ by binarily searching in the interval $(2^{j_0}, 2^{j_0+1}]$, we run into a problem: the successive factorials we have to calculate are no longer related in an obvious way, and calculating each one separately leaves us with an $O(\log^2 n)$ algorithm. We bypass this difficulty by spending O(log n) steps at this stage on the evaluation of $f = \gcd(n, (2^{j_0})!)$ and then distinguishing between two cases:

(i) If $f \ne 1$, then f is a non-trivial factor of n ($f = n$ contradicts the assumption that $(2^{j_0})! \not\equiv 0 \pmod n$), and we do not have to proceed.

(ii) If $f = 1$, then the evaluation of the predicate $i! \equiv 0 \pmod n$ for i in the range of interest can be simplified considerably, as described below.

Let i be an even integer, $2^{j_0} < i \le 2^{j_0+1}$. By (1),

$$i! = \binom{i}{i/2}\,\big((i/2)!\big)^2 \qquad\text{and}\qquad i/2 \le 2^{j_0}.$$

By assumption, $\gcd(n, (2^{j_0})!) = 1$, and thus also $\gcd(n, (i/2)!) = 1$ and $\gcd(n, ((i/2)!)^2) = 1$. Consequently, n divides i! if and only if n divides $\binom{i}{i/2}$, and thus the predicate $i! \equiv 0 \pmod n$ can be replaced by the easier predicate $\binom{i}{i/2} \equiv 0 \pmod n$ for any even i in the interval $(2^{j_0}, 2^{j_0+1}]$. Odd integers in this interval are treated similarly, by using the identity $i! = i \cdot (i-1)!$ first.

When the interval $(2^{j_0}, 2^{j_0+1}]$ is binarily searched for the value of $i_0$, at most log n numbers of the form $\binom{i}{i/2}$ have to be calculated, and then reduced modulo n. What remains to be done is to show that all these numbers can be calculated in O(log n) arithmetic steps.


As described in Section III, each number $\binom{i}{i/2}$ can be isolated as the middle block of n bits in $(2^n+1)^i$. (If a trial value exceeds n, no isolation is needed: $i \ge n$ already gives $i! \equiv 0 \pmod n$.) We can precalculate (in O(log n) steps) these i-th powers for all the values of i which are powers of 2, and store them in successive blocks of bits in one of the registers (with the biggest power occupying the lowest order bits). The value of $(2^n+1)^i$ for any other i can now be calculated as a partial product of these precalculated numbers, using the binary representation of i as a guide (for example, $(2^n+1)^{10} = (2^n+1)^{2}\,(2^n+1)^{8}$).

The binary search for the value of $i_0$ in the interval $(2^{j_0}, 2^{j_0+1}]$ can be easily arranged in such a way that a new trial value $i_{k+1}$ differs from the previous trial value $i_k$ by exactly $2^{j_0-k}$ ($k = 1, 2, \ldots, j_0$), with $i_1 = 2^{j_0+1}$. In this case, $(2^n+1)^{i_{k+1}}$ can be obtained from $(2^n+1)^{i_k}$ by multiplying or dividing the latter by the precomputed value $(2^n+1)^{2^{j_0-k}}$, which is a single operation. Since we use the precomputed powers in a simple high-to-low order, we can right shift the storage register after each use in such a way that the next power to be used is readily available in the low order bits of the register.

An improved method, which does not use a storage register, is to replace the "binary search" by a "Fibonacci search"; note that numbers of the form $(2^n+1)^{F_i}$ can be quickly calculated in either an ascending or a descending order by multiplying or dividing a pair of successive elements in this sequence. While it is possible to squeeze the log n precomputed numbers in the simple method into an $O(n^2)$ bit storage register (by using variable-size blocks and a tricky retrieval scheme), the improved method gives a straightforward $O(n^2)$ bound on the memory requirements of our factoring algorithm.

This completes the proof that a non-trivial factor of a number n (if it exists) can be found by performing at most O(log n) arithmetic operations. An interesting open problem is to determine whether O(log n) is also a lower bound on the arithmetic complexity of factoring algorithms. We conjecture that it is.
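The complete algorithm of this section as a Python program; an added example, not the paper's code. It uses plain big-integer arithmetic and counts `probes`, the number of binomial coefficients it isolates, which is the quantity this section bounds by log n in each phase (each probe, each move of the search and each reduction mod n is a constant number of the model's steps, as accounted for in Section III). One deviation, assumed here and not taken from the paper: a single block width $W = 2^{j_1}$ is used for every binomial coefficient instead of n-bit blocks, so that one table of precomputed powers $(2^W+1)^{2^e}$ and $2^{W 2^e}$ serves both the factorials of the powers of 2 and the final binary search, and every trial value $i \le 2^{j_1}$ can be isolated. The names `shamir_factor`, `block` and `reference_i0` are the example's own.

```python
"""Shamir's O(log n) factoring algorithm (Section IV).  Added example, not
the paper's own code.  Plain Python big-integer arithmetic; `probes` counts
the binomial coefficients isolated from blocks of (2^W + 1)^i.

Assumption (not in the paper): one block width W = 2^j1, the smallest power
of two exceeding n, is used for every binomial coefficient, so one table of
powers of 2^W + 1 serves both phases and every trial value i <= W fits.
"""
from math import gcd


def block(x, S, two_W):
    """Bits [W*k, W*(k+1)) of x, given S = 2^(W*k): the footnote's method,
    lower W(k+1) bits minus lower W*k bits, divided by 2^(W*k)."""
    lo = x - (x // S) * S
    S2 = S * two_W
    hi = x - (x // S2) * S2
    return (hi - lo) // S


def shamir_factor(n):
    """Return (f, i0, probes) for n >= 2.  For n > 4: i0 is the least i with
    n | i! (None when case (i) stops early) and f is a non-trivial factor of
    n if n is composite, f = n if n is prime.  n <= 4 is outside the paper's
    range and is settled by inspection."""
    if n <= 4:
        return (2 if n == 4 else n), None, 0
    j1 = n.bit_length()                     # 2^j1 is the smallest power of 2 > n
    W = 1 << j1                             # block width; W >= 2k for every 2k below
    two_W = 1 << W
    A = two_W + 1
    pow_A, pow_2 = [A], [two_W]             # pow_A[e] = A^(2^e), pow_2[e] = 2^(W 2^e)
    for _ in range(j1):                     # j1 squarings each: O(log n) steps
        pow_A.append(pow_A[-1] * pow_A[-1])
        pow_2.append(pow_2[-1] * pow_2[-1])
    probes = 0

    # Phase 1: (2^(j+1))! = binom(2^(j+1), 2^j) * ((2^j)!)^2, the binomial being
    # block number 2^j of A^(2^(j+1)); stop at the first j with n | (2^(j+1))!.
    fact = 1                                # (2^j)! for the current j
    for j in range(j1):
        nxt = block(pow_A[j + 1], pow_2[j], two_W) * fact * fact
        probes += 1
        if nxt % n == 0:                    # n | (2^(j+1))!, n does not divide (2^j)!
            j0 = j
            break
        fact = nxt
    f = gcd(n, fact)
    if f != 1:                              # case (i): already a non-trivial factor
        return f, None, probes

    # Phase 2, case (ii) with gcd(n, (2^j0)!) = 1: for 2^j0 < i <= 2^(j0+1),
    #   n | i!  iff  n | binom(i, i/2)              (i even)
    #   n | i!  iff  n | i * binom(i-1, (i-1)/2)    (i odd).
    # Binary search over even i = 2k, k in (2^(j0-1), 2^j0], carrying
    # T = A^(2k) and S = 2^(W k); every move is one multiply or one divide.
    k, T, S = 1 << j0, pow_A[j0 + 1], pow_2[j0]
    hi_k, ok = k, True                      # n | (2k)! is known at k = 2^j0
    for e in range(j0 - 2, -1, -1):         # step 2^e in k, i.e. 2^(e+1) in i
        if ok:
            k, T, S = k - (1 << e), T // pow_A[e + 1], S // pow_2[e]
        else:
            k, T, S = k + (1 << e), T * pow_A[e + 1], S * pow_2[e]
        ok = block(T, S, two_W) % n == 0    # n | binom(2k, k) ?
        probes += 1
        if ok:
            hi_k = k
    if ok:                                  # bring T, S down to k = hi_k - 1
        T, S = T // pow_A[1], S // two_W
    odd = 2 * hi_k - 1                      # the only odd candidate still open
    probes += 1
    i0 = odd if (odd * block(T, S, two_W)) % n == 0 else 2 * hi_k
    return gcd(n, i0), i0, probes


def reference_i0(n):
    """Least i with n | i!, by brute force (for checking only)."""
    f = i = 1
    while f % n:
        i += 1
        f *= i
    return i


if __name__ == "__main__":
    for n in (18, 35, 143, 13):
        print(n, "->", shamir_factor(n))
```

On n = 18 the program stops in case (i) with f = 6, the paper's value, without ever locating $i_0$; on n = 143 = 11·13 the gcd in case (i) is 1, the search finds $i_0 = 13$ and returns f = 13; on a prime such as 13 it returns f = n.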